Research

Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonincs companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people) I have to accept that someday Mother Entropy will bitch slap me with the end of the universe. There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend. (Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos). Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen: Everyone will use some form of NAC on their networks. Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips. Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis. Log management and SIEM will converge into single products. Completely. UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore. Virtualization and information-centric security will totally fuck up network security, especially internally. Any critical SCADA network will be pulled off the Internet. Database encryption will be performed inside the database with native functionality, with keys managed externally. The WAF vs. secure development debate will end as everyone buys/implements both. We’ll stop pretending web application and database security are different problems. We will encrypt all laptops. It will be built into the hardware. Signature AV will die. Mostly. Chris Hoff will break the cloud. Share:

We’ve been hinting at it over Twitter and in other blog posts, but it’s official. We’re sponsoring our First Annual Recovery Breakfast Wednesday morning at the RSA conference (8-11 am at Jillian’s). We’ll have hot and cold food, a selection of over-the-counter recovery items, and the hair of the dog of your choice. No marketing, speeches, or anything else (especially since we’ll be in rough shape ourselves). Since we have no idea how many people might show up, we’re asking you to RSVP if you think there’s a reasonable chance you’ll make it. To add a bit of incentive, we will be randomly selecting one RSVP to win a Chumby. You still have to show up to win, but we’ll pre-select your name so you don’t have to be there at any particular time. Just email us at rsvp@securosis.com. (We’ll need the winner’s real address to ship it to you, since it takes too much space in our bags, but we’ll just collect that at the event. We hope you’ll be able to join us, and we’ll see you at the show… Share:

It was nearly three years ago that I started the Securosis blog. At the time I was working at Gartner, and curious about participating in this whole “social media” thing. Not to sound corny, but I had absolutely no idea what I was getting myself into. Sure, I knew it was called social media, but I didn’t realize there was an actual social component. That by blogging, linking to others, and participating in comments, we are engaging in a massive community dialogue. Yes, since becoming an analyst I’ve had access to all the little nooks of the industry, but there’s just something about a public conversation you can’t get in a closed ecosystem. Don’t get me wrong- I’m not criticizing the big research model- I could never do what I am now without having spent time there, and I think it offers customers tremendous value. But for me personally, as I started blogging, I realized there were new places to explore. At Gartner I learned an incredible amount, had an amazingly good time, and made some great friends. But part of me (probably my massive ego) wanted to engage the community beyond those who paid to talk to me. Thus, after seven years it was time to move on and Securosis the blog became Securosis, L.L.C.. I didn’t really know what I wanted to do, but figured I’d pick up enough consulting to get by. I didn’t even bother to change my little WordPress blog, other than adding a short company page. It’s now nearly two years since jumping ship without a paddle, boat, lifejacket, any recognizable swimming skills, or a bathing suit. We’ve grown more than I imagined, had a hell of a lot of fun, posted hundreds of blog entries, authored some major research reports, and practically redefined the term “media whore”. But we still had that nearly unreadable white-text-on-black-background blog, and if you wanted to find specific content you had to wade through pages of search results. Needless to say, that’s no way to run a business, which is why we finally bit the bullet, invested some cash, and rebuilt the site from scratch. For months now we’ve been blogging less as we spent all our spare cycles on the new site (and, for me, having a kid). I realize we’ve been going on and on about it, but that’s merely the byproduct of practically crapping our pants because we’re so excited to have it up. We can finally organize our research, help people learn more about security, and not be totally embarrassed by running a corporate site that looked like some idiot pasted it together while bored one weekend. Which it was. I asked Adrian for some closing thoughts, and I absolutely promise this will be the last of our self-congratulatory, self-promotional BS. The next time you hear from us, we’ll actual put some real content back out there. -Rich Some of you may not know this, but I had been working with Rich for a couple of months before most people noticed. Learning that was unsettling! I was not sure if our writing was close enough that people could not tell, or worse, no one cared. But we soon discovered that the author names for the posts was not always coming up so people assumed it was Rich and not Chris or myself. It was several months later still when I learned that the link to my bio page was broken and was not viewable on most browsers. We were getting periodic questions about what we do here, other than blog on security and write a couple white papers, as lots of regular readers did not know. It never really dawned on Rich or I, two tech geeks at heart, to go look at how we presented ourselves (or in this case, did not present ourselves). When a couple business partners brought it up, it was a Homer Simpson “D’oh” moment of self-realization. Rich and I began discussing the new site October of last year, and as there was a lot of stuff we wanted to provide but could not because WordPress was simply not up to the challenge, we knew we needed a complete overhaul. And we still were getting complaints that most people had trouble reading the white text on black background. Yes, part of me will miss the black background ..It kind of conveyed the entire black hat mind set; breaking stuff in order to teach security. It embodied the feeling that “yeah, it may be ugly, but it’s the truth, so get used to it”. Still, I do think the new site is easier to read, and it allows us to better provide information and services. Rich and I are really excited about it! We have tons of content we need to tune & groom before we can put it public into the research library, but it’s coming. And hopefully our writing style will convey to you that this blog is an open forum for wide open discussion of whatever security topic you are interested in. Something on your mind? Bring it! -Adrian And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: I wrote the cover story on DLP for this month’s Information Security Magazine. They never told me it was the cover, so that was a very pleasant surprise. Martin and I had a guest interview on Hacker Spaces for this week’s Network Security Podcast. I did an interview for the New York Times on Mac security. It raised so much controversy that they did a follow on article, with our friend Dino Dai Zovi. I did an interview with Bill Brenner of CSO Magazine on federal cybersecurity and the latest congressional hearings. I also did a podcast with Dennis Fisher at ThreatPost on a bunch of topics, including Conficker. Wondered where Adrian was in the press, and considered revoking his whore status. Favorite Securosis Posts: Rich: Our new site announcement. I swear we’ll get over

If you can read this, you’ve found the brand spanking new Securosis! We’d call it Securosis 2.0, but we hate all that “2.0” stupidity. (We also hate “next generation”, for the record). If I was in the terrain park I’d say I’m totally stoked, but since I’m only sitting at home in the office I’ll have to settle for really fracking excited! We’ve been working on this for months, and we sure as heck hope you like it. There are a ton of new features, and we moved over to a new platform to support all sorts of goodness down the road. We know not everything is quite perfect yet, but we think we’re off to a great start and it’s far more functional than the old site. Aside from the platform switch, the biggest addition is the Securosis Research Library. We know a lot of people come here to learn about the topics we cover, and rather than forcing you to crawl through a search engine we wanted one nice area that guides you exactly to what you’re looking for. We have one page per topic, with all the best things we’ve written or recorded on that subject, in a recommended reading order. You can even subscribe to it as an RSS feed and it will stay current in your reader. Right now we have only a handful+ of pages in there, but our goal is to flush it out with all the topics we cover, at the rate of 1-2 per week. We’re also adding content, such as presentations, on a daily basis as we get everything converted. We now have a much better search engine and a cool tag cloud, and we’ve completely reorganized how we publish our whitepapers and other major content (you can find it in the Research Library). For those of you who have registered here before, we pulled your user accounts over but killed your passwords. Just click on this link to reset your password and you’ll be right back in. Finally, we know some of you were getting updates via email. We couldn’t migrate that over, but we set up a sweet new Daily Digest using MailChimp. I’m totally friggen’ exhausted, so with that I’m going to grab a beer, go to sleep, and see what’s broken in the morning. I’d like to thank Insight Design for our awesome look, and Adam Khan of Engaging.net for all the help getting things running. Need. Beer. Now. Share:

We are putting the final touches on the new site and should be launching it within the next 24 hours. Being the eternal optimists, we’re pretty sure something will go wrong, but maybe we’ll luck out and those beers we bought the migration gods will pay off. We’re pretty excited- aside from moving us off the Mogull Special design template, we’re switching to a more secure system, adding a bunch of features, and finally organizing all our content. Thursday’s move is only the first step- we’re already working on some additional content and features we hope you’ll like. If you subscribe to Feedburner RSS you won’t notice any changes. After this move we won’t be pointing people to Feedburner anymore, but we’ll keep it active. We don’t think we have any direct subscribers, but if you happen to use a non-Feedburner feed, you’ll need to visit the new site and re-subscribe. Otherwise, the transition should go smoothly, but we hope you RSS only readers will still come and check out the new site (and features). **If you subscribe to the email updates** We’re changing to an entirely new email system and your subscription may not carry over. Yeah, it stinks, but we didn’t have many options. If you get emails of our feed from Feedburner you won’t notice any changes. If you subscribed directly on the site, you’ll need to visit the new site and sign up again- we have a big link right there on the blog page (on the right side), and all you need to enter is an email address. Wish us luck- we’ll need it! And don’t forget to visit the new site… same address, more pizzaz. (not more pizzas, which would probably get us more readers) Share:

Just a quick note today since I’m totally distracted by having some family in town. Episode 144 is up and features Dino Dai Zovi… co-author of The Mac Hackers Handbook. It’s a great interview, especially if you are interested in Mac security issues. We also discuss the No More Free Bugs meme. You can download the episode here… Share:

We’ve been talking a lot about application security since we started this blog, and one thing we’ve been tracking closely are training and certification programs. While we couldn’t talk about it, we’ve been quietly involved with the Institute for Certified Application Security Specialists. We reviewed the program during development, and were overall pretty impressed. It has very similar requirements to the CSSLP, but is more cost effective for security practitioners… something we can all appreciate in this economy. Believe it or not, despite my not-infrequent diatribes against various certifications, I actually went through the process myself and am fully certified. What I really appreciate is how pragmatic the program is, and how it really reflects the operational realities of application security. You can get more information at the Institute for Certified Application Security Specialists, and as a member of the affiliate program Securosis readers receive a 10% discount. Oh- and don’t forget to join the LinkedIn Group! Share:

Update: Dan just let me know that Tillmann Werner and Felix Leder have been working on this for 5 months! Dan came in (and then brought me in) only on Friday. They deserve major credit and thanks for this impressive work. Also, Nmap (which is still free) and the free feed of Nessus have their signatures out for those of you that don’t have an enterprise product. Ever since last year, I always get a little nervous when Dan Kaminsky starts asking me certain questions over Twitter. Last time it was the DNS vulnerability, and this time it was something not as big, yet still extremely cool. Some researchers with the Honeynet Project (Tillmann Werner and Felix Leder) discovered a way to remotely (as in via network scan) detect Conficker infections. It seems that whoever is behind Conficker attempts to patch the MS08-067 vulnerability when they infect a system so no other attackers can get in. The patch is flawed, causing a specific response to network probes. Yes folks, this means you can tell if a system is infected with Conficker just by scanning it. Now how cool is that?   < p>The HoneyNet guys contacted Dan for some help, and then he contacted me to get connected with the major scanning vendors. I called Adrian, and we managed to wrangle up nCircle, McAfee, nCircle, Nmap, Qualys, and Tenable (Nessus) and most have already incorporated, or are about to incorporate, Conficker sigs for their scanners. I think Dan is giving me too much credit in his post; all I did was connect the right people with each other; I wasn’t involved in the tool creation or testing. (We did shoot for some other vendors, but didn’t have the right contacts). I know Dan, the HoneyNet guys, and the vendor research teams all put in a heck of a lot of time on this over the weekend. Here’s what you enterprise guys need to know: There is a free proof-of-concept tool available from the HoneyNet Project, or you can contact your network vulnerability assessment vendor to see if they have an updated signature. This should work on all Conficker variants. (I suspect that won’t last long). The “Know Your Enemy” paper will be released by the HoneyNet Project in the next couple of days, with far greater detail. This doesn’t guarantee you will detect all infections, but it’s a powerful way to reduce your risk. We recommend you start scanning immediately if you have the slightest worry over Conficker. Expect the tools to undergo a series of updates in the next few days as we all learn more. This really is hot-out-of-the-oven stuff that still needs to settle in. The next phase will be to include this in NAC products for pre-connect scanning. That’s about it- simple enough! If you start using these and find anything interesting, please come back and post it in the comments. Share:

It is absolutely amazing how quickly time can rush past during the most momentous moments of your life. It was over three weeks ago that my daughter was born, and I’m still trying to figure out what the f&*% just happened. A lot of people made it sound like my life would suddenly crash to a halt as I vaulted into some other dimension of existence, but the changes, while massive, are also far more subtle and confusing. Needless to say, I blame the reduced sleep (which still isn’t as bad as it was in paramedic school). While my personal life is changing, so is the world that is Securosis. You may have noticed my nearly complete lack of blogging the past couple of weeks. While I’d like to blame The Nugget, our changes on the corporate side are just as big. We’re close (oh so very close) to unveiling our new website, a major new public project, and a big influx of content. We’re so close that this blog is officially in maintenance mode as we get the last of the old content transferred to the new site, our templates cleaned up, and new content filled in. And the refresh is just the start; as we get the new site stable we are going to keep adding features and content, the vast majority of which will be, as always, free. On a related note, we’re also working on our RSA schedules, and when the new site launches we will officially announce the Securosis Recovery Breakfast. I’d like to say we’re giving back to the community, but the truth is we’ll need the hangover relief just as badly as any of you. And now for the week in review… at least what little of it I managed to notice: Webcasts, Podcasts, Outside Writing, and Conferences: Rich presented “Building a Web Application Security Program” at the Phoenix SANS training. We’ll get it posted once we transfer over to the new site. Rich and Martin hosted another episode of The Network Security Podcast this week, covering some of the CanSecWest news and other happenings. Favorite Securosis Posts: Rich: Adrian’s CanSecWest Highlights. I really need to go next year. Adrian: My post on Security Speedbumps. Favorite Outside Posts: Adrian: Gunnar Peterson on security people in software development. Rich: John Gruber, at Daring Fireball, on Obsession Times Voice. This is pretty much the most important thing John has written about in a long time. Flat out- if you blog and are obsessed with numbers, you won’t achieve your goals. I barely check our stats, maybe once every other month, and once missed the fact that we had no stats for 3 or 4 months. It’s your passion for writing that brings in readers, not pandering for page views. Top News and Posts: Botnet targets modems and routers. Yowza. Symantec drops call center after (manual) security breach. Good move on their part, as a security company they can’t screw around with situations like this. Bad hacker stole $10M from banks. Using SQL injection. In 2008. Pardon my language, but how fucking stupid do you need to be to allow SQL injection at a financial institution in 2008?!?! Jesus people, I realize security is hard but we don’t have to give them our fracking wallets on a silver platter. With a mint. It’s Cisco IOS Patch day. Blog Comment of the Week: Dre on Security Speedbumps: No No No No No. Layers and defense-in-depth do not work unless you know YOUR OWN risks and point-solution defenses match the risks. “Layering for layering’s sake” does get adversaries poking right through billions of expensive layers. Don’t tempt me to argue against every point in this rant — you just set yourself up for massive failure. Share:

I’ve been out at the Phoenix SANS event so I almost forgot to post this… I’ll be presenting on endpoint encryption from 2-3 ET today. The event is sponsored by WinMagic, and you can register here. I’ll be covering the basics of endpoint encryption- a little bit on why you should do it (I think most of you have heard me say “just encrypt your freaking laptops” by now), an overview of the technology, and enterprise concerns and best practices. I’ll also spend some time talking about how to mix file/folder and full drive encryption. This one is targeting people without much of a background in endpoint encryption and is mostly introductory material. Share: